<p>Amazon Simple Notification Service (SNS) is a managed messaging service for application-to-application (A2A) and application-to-person (A2P)
communication. SNS topics allows publisher systems to fanout messages to a large number of subscriber systems. Amazon SNS allows to encrypt messages
when they are received. In the case that adversaries gain physical access to the storage medium or otherwise leak a message they are not able to
access the data.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The topic contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It is recommended to encrypt SNS topics that contain sensitive information.</p>
<p>To do so, create a master key and assign the SNS topic to it. Note that this system does not encrypt the following:</p>
<ul>
  <li> Topic metadata (topic name and attributes) </li>
  <li> Message metadata (subject, message ID, timestamp, and attributes) </li>
  <li> Data protection policy </li>
  <li> Per-topic metrics </li>
</ul>
<p>Then, make sure that any publishers have the <code>kms:GenerateDataKey*</code> and <code>kms:Decrypt</code> permissions for the AWS KMS key.</p>
<p>See <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html#sns-what-permissions-for-sse">AWS SNS Key Management
Documentation</a> for more information.</p>
<h2>Sensitive Code Example</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html"><code>aws_cdk.aws_sns.Topic</code></a></p>
<pre>
import { Topic } from 'aws-cdk-lib/aws-sns';

new Topic(this, 'exampleTopic'); // Sensitive
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.CfnTopic.html"><code>aws_cdk.aws_sns.CfnTopic</code></a></p>
<pre>
import { Topic, CfnTopic } from 'aws-cdk-lib/aws-sns';

new CfnTopic(this, 'exampleCfnTopic'); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.Topic.html"><code>aws_cdk.aws_sns.Topic</code></a></p>
<pre>
import { Topic } from 'aws-cdk-lib/aws-sns';

const encryptionKey = new Key(this, 'exampleKey', {
    enableKeyRotation: true,
});

new Topic(this, 'exampleTopic', {
    masterKey: encryptionKey
});
</pre>
<p>For <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_sns.CfnTopic.html"><code>aws_cdk.aws_sns.CfnTopic</code></a></p>
<pre>
import { CfnTopic } from 'aws-cdk-lib/aws-sns';

const encryptionKey = new Key(this, 'exampleKey', {
    enableKeyRotation: true,
});

cfnTopic = new CfnTopic(this, 'exampleCfnTopic', {
    kmsMasterKeyId: encryptionKey.keyId
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html">AWS Documentation</a> - Encryption at rest </li>
  <li> <a href="https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/">Encrypting messages published to
  Amazon SNS with AWS KMS</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222588">Application Security and
  Development: V-222588</a> - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
  rest. </li>
</ul>
